Hackers also get our passwords through trickery. The most well-known technique is phishing, which involves mimicking a familiar site and asking users to enter their login information.
Steven Downey, CTO of Shipley Energy in Pennsylvania, described how this technique compromised the online account of one of his company's board members this past spring. The executive had used a complex alphanumeric password to protect her AOL email. But you don't need to crack a password if you can persuade its owner to give it to you freely. The hacker phished his way in: He sent her an email that linked to a bogus AOL page, which asked for her password.
She entered it. After that he did nothing. At first, that is. The hacker just lurked, reading all her messages and getting to know her. He learned where she banked and that she had an accountant who handled her finances. He even learned her electronic mannerisms, the phrases and salutations she used. An even more sinister means of stealing passwords is to use malware: hidden programs that burrow into your computer and secretly send your data to other people. According to a Verizon report, malware attacks accounted for 69 percent of data breaches in They are epidemic on Windows and, increasingly, Android.
Malware works most commonly by installing a keylogger or some other form of spyware that watches what you type or see. Its targets are often large organizations, where the goal is not to steal one password or a thousand passwords but to access an entire system. One devastating example is ZeuS, a piece of malware that first appeared in Clicking a rogue link, usually from a phishing email, installs it on your computer. Then, like a good human hacker, it sits and waits for you to log in to an online banking account somewhere. As soon as you do, ZeuS grabs your password and sends it back to a server accessible to the hacker.
Targeting such companies is actually typical. Essentially, he's the guy in charge of figuring out how to get us past the current password regime. Until we figure out a better system for protecting our stuff online, here are four mistakes you should never make—and four moves that will make your accounts harder but not impossible to crack. If our problems with passwords ended there, we could probably save the system. We could ban dumb passwords and discourage reuse.
We could train people to outsmart phishing attempts. Just look closely at the URL of any site that asks for a password. We could use antivirus software to root out malware. But we'd be left with the weakest link of all: human memory. Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there's a very good chance you'll forget it—especially if you follow the prevailing wisdom and don't write it down. Because of that, every password-based system needs a mechanism to reset your account.
And the inevitable trade-offs (security versus privacy versus convenience) mean that recovering a forgotten password can't be too onerous. That's precisely what opens your account to being easily overtaken via social engineering. Although "socialing" was responsible for just 7 percent of the hacking cases that government agencies tracked last year, it raked in 37 percent of the total data stolen.
Socialing is how my Apple ID was stolen this past summer. The hackers persuaded Apple to reset my password by calling with details about my address and the last four digits of my credit card. Because I had designated my Apple mailbox as a backup address for my Gmail account, the hackers could reset that too, deleting my entire account—eight years' worth of email and documents—in the process. They also posed as me on Twitter and posted racist and antigay diatribes there.
After my story set off a wave of publicity, Apple changed its practices: It temporarily quit issuing password resets over the phone. But you could still get one online. And so a month later, a different exploit was used against New York Times technology columnist David Pogue. This time the hackers were able to reset his password online by getting past his "security questions." You know the drill. To reset a lost login, you need to supply answers to questions that supposedly only you know. Answers to the first two were available on Google: He had written that a Corolla had been his first car, and had recently sung the praises of his Toyota Prius.
The hackers just took a wild guess on the third question. It turns out that at the dawn of the new millennium, David Pogue, like the rest of the world, was at a "party." With that, the hackers were in. They dove into his address book (he's pals with magician David Blaine!). OK, you might think, but that could never happen to me: David Pogue is Internet-famous, a prolific writer for the major media whose every brain wave goes online.
But have you thought about your LinkedIn account? Your Facebook page? Your kids' pages or your friends' or family's? If you have a serious web presence, your answers to the standard questions—still often the only options available—are trivial to root out. Your mother's maiden name is on Ancestry. The ultimate problem with the password is that it's a single point of failure, open to many avenues of attack. We can't possibly have a password-based security system that's memorable enough to allow mobile logins, nimble enough to vary from site to site, convenient enough to be easily reset, and yet also secure against brute-force hacking.
But today that's exactly what we're banking on—literally. Who is doing this? Who wants to work that hard to destroy your life? The answer tends to break down into two groups, both of them equally scary: overseas syndicates and bored kids. The syndicates are scary because they're efficient and wildly prolific.
Malware and virus-writing used to be something hobbyist hackers did for fun, as proofs of concept. Not anymore. Sometime around the mids, organized crime took over. Today's virus writer is more likely to be a member of the professional criminal class operating out of the former Soviet Union than some kid in a Boston dorm room.
There's a good reason for that: money. Moreover, they are targeting not just businesses and financial institutions but individuals too. Russian cybercriminals, many of whom have ties to the traditional Russian mafia, took in tens of millions of dollars from individuals last year, largely by harvesting online banking passwords through phishing and malware schemes.
In other words, when someone steals your Citibank password, there's a good chance it's the mob.
But teenagers are, if anything, scarier, because they're so innovative. The groups that hacked David Pogue and me shared a common member: a year-old kid who goes by the handle "Dictate." He's just calling companies or chatting with them online and asking for password resets. But that does not make him any less effective. He and others like him start by looking for information about you that's publicly available: your name, email, and home address, for example, which are easy to get from sites like Spokeo and WhitePages.
Then he uses that data to reset your password in places like Hulu and Netflix, where billing information, including the last four digits of your credit card number, is kept visibly on file. Once he has those four digits, he can get into AOL, Microsoft, and other crucial sites. Soon, through patience and trial and error, he'll have your email, your photos, your files—just as he had mine.
Why do kids like Dictate do it? Mostly just for lulz: to fuck shit up and watch it burn. One favorite goal is merely to piss off people by posting racist or otherwise offensive messages on their personal accounts. As Dictate explains, "Racism invokes a funnier reaction in people. Hacking, people don't care too much. When we jacked jennarose3xo"—aka Jenna Rose, an unfortunate teen singer whose videos got widely hate-watched in —"I got no reaction from just tweeting that I jacked her stuff."